Method for tracing traitor receivers in a broadcast encryption system

ABSTRACT

A method for tracing traitor receivers in a broadcast encryption system. The method includes using a false key to encode plural subsets representing receivers in the system. The subsets are derived from a tree using a Subset-Cover system, and the traitor receiver is associated with one or more compromised keys that have been obtained by a potentially cloned pirate receiver. Using a clone of the pirate receiver, the identity of the traitor receiver is determined, or the pirate receiver clones are rendered useless for decrypting data using the compromised key by generating an appropriate set of subsets.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates generally to broadcast data encryption that uses encryption keys.

[0003] 2. Description of the Related Art

[0004] Various broadcast encryption systems have been proposed for encrypting content that is broadcast to potentially millions of receivers using recorded media such as CDs and DVDs, or via wireless broadcast methods such as satellite broadcasts. These systems are intended to encrypt content such that only authorized receivers (also referred to as “users” and “player-recorders”) can decode and play the content, but software- or hardware-implemented pirate devices (also referred to as “clones” and “evil devices”) that somehow manage to obtain a valid decryption key from an authorized device (“traitor”) nonetheless cannot decrypt and play the content.

[0005] An example of such a system is disclosed in the present assignee's U.S. Pat. No. 6,118,873, incorporated herein by reference. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.

[0006] Another example of a broadcast encryption system is the “Subset-Cover” system disclosed in the present assignee's co-pending U.S. patent application serial no. [docket no. ARC9200100_US], incorporated herein by reference. This latter system, details of which are set forth below for illustration, is directed to the difficult scenario of “stateless” receivers, i.e., receivers that do not necessarily update their encryption state between broadcasts to accept countermeasures against pirate devices. For example, a television that subscribes to a pay channel might have its set-top box deenergized for a period of time during which updated encryption data might be broadcast over the system. Such a device would be rendered “stateless” if it happens to be unable to update itself after being reenergized, and would not receive updates that would be necessary for future content decryption. Another example of a stateless receiver would be a player-recorder of CDs and DVDs, which ordinarily does not interact with other system components and which will not receive every possible piece of encryption data updates, since no player receives every vended disk.

[0007] As recognized by the present invention, decryption keys in broadcast encryption systems can become compromised, enabling unauthorized pirate devices to decrypt content. Such pirate devices can be implemented in hardware or in software, and in the latter case can be posted on the Internet for free downloading to anyone who wants to obtain proprietary content without paying for it. In any case, the present invention is directed to countering the propagation of pirate clones by either finding the identities of system receivers (“traitors”) whose keys have been obtained by the pirate, or by rendering pirate clones useless by finding an encryption that cannot be decrypted by the clones but that can be decrypted by authorized users.

[0008] The present invention is particularly (but not exclusively) focussed on the problem of tracing traitors in the Subset-Cover system. Unlike the system of the above-referenced '873 patent, in the Subset-Cover system no key overlap exists between devices. One result of key overlap is that in the patented '873 system, it is perfectly normal in operation that some device keys will correctly decrypt content and some will not, so that a clone cannot ascertain whether it is being tested simply by observing whether messages being sent to it cannot be decrypted with all its keys. This is not true in the Subset-Cover system, since every device has at least one unique key. Consequently, if a clone obtains keys from multiple traitors, and if one key from one traitor is properly decrypting content while another key from another traitor is not, the clone can deduce that it is under test.

[0009] Once a clone deduces it is under test, it can undertake any one of a number of countermeasures, such as switching identities between traitors, or even self-destructing. Of course, in the case of self-destruction the licensing agency can simply obtain another clone for further (modified) testing, but this takes time. With these critical observations in mind, the present invention has provided the below solutions to one or more of the observations.

SUMMARY OF THE INVENTION

[0010] The invention includes a computer system for undertaking the inventive logic set forth herein. The invention can also be embodied in a computer program product that stores the present logic and that can be accessed by a processor to execute the logic. Also, the invention is a computer-implemented method that follows the logic disclosed below.

[0011] A computer is programmed to use a false key to encode plural subsets representing stateless receivers. At least one traitor receiver in the system is associated with a compromised key that has been obtained by a cloned pirate receiver. Using a clone of the pirate receiver, the computer determines the identity of the traitor receiver, or renders the pirate receiver clones useless for decrypting data using the compromised key by generating an appropriate encryption strategy.

[0012] In another aspect, a method is disclosed for identifying a traitor receiver with an associated unique, compromised decryption key in a broadcast encryption system. The method includes receiving a set of subsets derived from a tree defining leaves, with each leaf representing a respective receiver. Also, the method includes identifying a traitor subset from the set of subsets as containing at least one traitor receiver, and then, using the traitor subset, identifying the traitor receiver.

[0013] In a preferred embodiment, the method includes determining whether the traitor subset represents more than one traitor receiver candidate, and if so, dividing the traitor subset into two child sets, and identifying a new traitor subset using the two child sets. The preferred method also determines whether the traitor subset is a member of a frontier set, and if so, a complementary subset is removed from the frontier set.

[0014] The preferred way to identify a traitor subset includes encoding the first j subsets of the set of subsets with a false key, and then executing a binary search on the set of subsets using probabilities. The binary search ends by determining that the difference between a probability p_(j) of decrypting a message when the first j subsets contain the false key and the probability p_(j−1) of decrypting when the first j−1 subsets contain a false key is at least equal to a predetermined probability. Specifically, the traitor subset is identified when |p_(j−1)−p_(j)|>p/m, wherein p is the predetermined probability and m is the number of subsets in the set of subsets. The set of subsets is generated by a subset-cover scheme having the property that it generates subsets that can be bifurcated.

[0015] In another aspect, a computer program device includes logic means for accessing a tree to generate a set of subsets of the tree, the tree including leaves representing at least one traitor device characterized by a compromised key. Logic means are provided for encrypting a false key j times and for encrypting a session key m−j times, wherein m is a number of subsets in the set of subsets. Also, logic means are responsive to the means for encrypting for identifying a traitor subset. Then, logic means use the traitor subset to identify the traitor device.

[0016] The details of the present invention, both as to its structure and operation, can best be understood in reference to the accompanying drawings, in which like reference numerals refer to like parts, and in which:

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] FIG. 1 is a block diagram of the present system;

[0018] FIG. 2 is a flow chart of the overall encryption logic;

[0019] FIG. 3 is a flow chart of the overall decryption logic;

[0020] FIG. 4 is a flow chart of the key assignment portion of the complete subtree method;

[0021] FIG. 5 is a flow chart of the encryption portion of the complete subtree method;

[0022] FIG. 6 is a flow chart of the decryption portion of the complete subtree method;

[0023] FIG. 7 is a schematic diagram of a subset of a complete subtree;

[0024] FIG. 8 is a schematic diagram of a subset in the subset difference method;

[0025] FIG. 9 is another form of a schematic diagram of the subset in the subset difference method;

[0026] FIG. 10 is a flow chart of the logic for defining a cover in the subset difference method;

[0027] FIG. 11 is a schematic diagram of a subset of a tree in the subset difference method, illustrating key assignment;

[0028] FIG. 12 is a flow chart of the decryption portion of the subset difference method;

[0029] FIG. 13 is a flow chart of the logic for assigning keys in the subset difference method;

[0030] FIG. 14 is a schematic diagram of a subset of a tree in the subset difference method;

[0031] FIG. 15 is a flow chart showing the present tracing logic; and

[0032] FIG. 16 is a flow chart showing the subset tracing modules of the tracing logic.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0033] The present invention can be used with any one of a number of broadcast encryption methods. By way of non-limiting illustration, one such system—the Subset-Cover system—is first set forth, and then the present tracing algorithm is disclosed in terms of the Subset-Cover system.

[0034] Referring initially to FIG. 1, a system is shown, generally designated 10, for generating sets of keys in a broadcast content guard system, such as but not limited to the system disclosed in the above-referenced patent. By “broadcast” is meant the wide dissemination of a program from a content provider to many users simultaneously over cable (from a satellite source), or wire, or radio frequency (including from a satellite source), or from widely marketed content disks.

[0035] As shown, the system 10 includes a key set definition computer 12 that accesses a key set definition module 14 that functions in accordance with the disclosure below. The key sets defined by the computer 12 are used by potentially stateless player-recorder devices 16, also referred to herein as “receivers” and “users”, that have processors inside them to decrypt content. The content along with certain keys disclosed below are provided to the respective devices via, e.g., device manufacturers 16 on media 17. A player-recorder device can access its key set to decrypt the content on media or broadcast to it via wireless communication. As used herein “media” can include but is not limited to DVDs, CDs, hard disk drives, and flash memory devices. In an alternative embodiment, each receiver 16 could execute the module 14 to undertake the step of calculating the below-disclosed “cover” by being given the set of revoked receivers and undertaking the logic set forth below.

[0036] It is to be understood that the processor associated with the module 14 accesses the modules to undertake the logic shown and discussed below, which may be executed by a processor as a series of computer-executable instructions. Two methods—the complete subtree method, and the subset difference method—are disclosed herein for using the system 10 to selectively revoke the ability of compromised receivers 16 to decrypt broadcast content without revoking the ability of any non-compromised receiver 16 to decrypt broadcast content.

[0037] The instructions may be contained on a data storage device with a computer readable medium, such as a computer diskette having a computer usable medium with computer readable code elements stored thereon. Or, the instructions may be stored on a DASD array, magnetic tape, conventional hard disk drive, electronic read-only memory, optical storage device, or other appropriate data storage device. In an illustrative embodiment of the invention, the computer-executable instructions may be lines of compiled C++ compatible code.

[0038] Indeed, the flow charts herein illustrate the structure of the logic of the present invention as embodied in computer program software. Those skilled in the art will appreciate that the flow charts illustrate the structures of computer program code elements including logic circuits on an integrated circuit, that function according to this invention. Manifestly, the invention is practiced in its essential embodiment by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (that is, a computer) to perform a sequence of function acts corresponding to those shown.

[0039] The overall logic of the present invention as embodied by both the subset difference method and complete subtree method can be seen in reference to FIG. 2. For purposes of the present disclosure, assume that N receivers 16 exist in the system 10, and that it is desirable to be able to revoke the ability of r receivers in a revoked receiver subset R to decrypt content even if the revoked receivers act in a coalition (by sharing encryption knowledge), such that any non-revoked receiver can still decrypt content. Commencing at block 19, the system is initiated by assigning long-lived subset keys L₁, . . . , L_(w) to corresponding subsets in a universe of subsets S₁, . . . , S_(w) into which receivers are grouped in accordance with the disclosure below, with each subset S_(j) thus having a long-lived subset key L_(j) associated with it. In the first (“complete subtree”) method, the subsets covering receivers not in a revoked set are simply the subtrees that are generated per the disclosure below. In the second (“subset difference”) method, the subsets covering receivers not in a revoked set are defined by the difference between a first subtree and a smaller subtree that is entirely within the first subtree as set forth further below.

[0040] At block 20, the system is further initiated by supplying each receiver u with private information I_(u) that is useful for decrypting content. Details of the private information I_(u) are set forth further below. If I_(u) is the secret information provided to receiver u, then each receiver u in S_(j) can deduce L_(j) from its I_(u). As set forth more fully below, given the revoked set R, the non-revoked receivers are partitioned into m disjoint subsets S_(i1), . . . , S_(im) and a short-lived session key K is encrypted m times with the long-lived subset keys L_(i1), . . . , L_(im) associated with respective subsets S_(i1), . . . , S_(im). The subset keys are explicit subset keys in the complete subtree method and are induced by subset labels in the subset difference method.

[0041] Specifically, at block 22 at least one session key K is selected with which to encrypt content that is broadcast in a message M, either via wireless or wired communication paths or via storage media such as CDs and DVDs. The session key K is a random string of bits that is selected anew for each message. If desired, plural session keys can be used to encrypt respective portions of the message M.

[0042] In both of the below-described methods, non-revoked receivers are partitioned into disjoint subsets S_(i1), . . . , S_(im) at block 24 using a tree. The subsets are sometimes referred to herein as “subtrees”, with the first method explicitly considering subtrees and the second method regarding subtrees as being of the form “a first subtree minus a second subtree entirely contained in the first”. Each subset S_(i1), . . . , S_(im) is associated with a respective subset key L_(i1), . . . , L_(im). While any data tree-like structure is contemplated herein, for disclosure purposes it is assumed that the tree is a full binary tree.

[0043] Proceeding to block 26, in general the session key K is encrypted m times, once with each subset key L_(i1), . . . , L_(im). The resulting ciphertext that is broadcast can be represented as follows, with the portion between the brackets representing the header of the message M and with i₁, i₂, . . . , i_(m) representing indices of the disjoint subsets:

<[i₁, i₂, . . . , i_(m), E_(Li1)(K), E_(Li2)(K), . . . , E_(Lim)(K)], F_(K)(M)>

[0044] In one embodiment, the encryption primitive F_(K) is implemented by XORing the message M with a stream cipher generated by the session key K. The encryption primitive E_(L) is a method for delivering the session key K to the receivers 16, using the long-lived subset keys. It is to be understood that all encryption algorithms for F_(K), E_(L) are within the scope of the present invention. One preferred implementation of E_(L) can be a Prefix-Truncation specification of a block cipher. Assume U represents a random string whose length equals the block length of E_(L), and assume that K is a short key for the cipher F_(K) whose length is, e.g., 56 bits. Then [Prefix_(|K|) E_(L)(U)] ⊕ K, where Prefix_(|K|) denotes truncation to the first |K| bits, provides a strong encryption of K. Accordingly, the Prefix-Truncated header becomes:

<[i₁, i₂, . . . , i_(m), U, [Prefix_(|K|) E_(Li1)(U)] ⊕ K, . . . , [Prefix_(|K|) E_(Lim)(U)] ⊕ K], F_(K)(M)>

[0045] This advantageously reduces the length of the header to about m|K| bits instead of m|L|. In the case where the key length of E_(L) is minimal, the following can be used to remove the factor-m advantage that an adversary has in a brute-force attack, which results from encrypting the same string U with m different keys. Instead of U itself, the string U ⊕ i_(j) is encrypted under the j-th subset key. That is,

<[i₁, i₂, . . . , i_(m), U, [Prefix_(|K|) E_(Li1)(U ⊕ i₁)] ⊕ K, . . . , [Prefix_(|K|) E_(Lim)(U ⊕ i_(m))] ⊕ K], F_(K)(M)>

[0046] Having described preferred, non-limiting ways to implement the encryption primitives E and F, attention is now directed to FIG. 3, which shows the decryption logic undertaken by the receivers 16. Commencing at block 28, each non-revoked receiver u finds a subset identifier i_(j) in the ciphertext such that it belongs to the subset S_(ij). As disclosed further below, if the receiver is in the revoked set R, the result of block 28 will be null. Next, at block 30 the receiver extracts the subset key L_(ij) corresponding to the subset S_(ij) using its private information I_(u). Using the subset key, the session key K is determined at block 32, and then the message is decrypted at block 34 using the session key K.

[0047] Two preferred methods for undertaking the above-described overall logic are disclosed below. In each, the collection of subsets is specified, as is the way keys are assigned to the subsets and a method to cover non-revoked receivers using disjoint subsets from the collection. In each, the set of receivers in the system establishes the leaves of a tree, such as but not limited to a full binary tree.

[0048] The first method to be discussed is the complete subtree method shown in FIGS. 4-7. Commencing at block 36 in FIG. 4, an independent and random subset key L_(i) is assigned to each node v_(i) in the tree. This subset key L_(i) corresponds to a subset containing all leaves rooted at node v_(i). Then, at block 38 each receiver u is provided with all subset keys in the direct path from the receiver to the root. As illustrated in brief reference to FIG. 7, the receivers u in the subset S_(i) are provided with the subset key L_(i) associated with the node v_(i), as well as with the keys associated with the node P, which lies between the receivers in S_(i) and the root of the tree.

[0049] When it is desired to send a message and revoke the ability of some receivers to decrypt the message, the logic of FIG. 5 is invoked to partition non-revoked receivers into disjoint subsets. Commencing at block 40, a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers. The spanning tree is the minimal subtree of the full binary tree that connects the “revoked” leaves, and it can be a Steiner tree. Proceeding to block 42, the subtrees that have roots adjacent to nodes of degree one in the tree (i.e., nodes that are directly adjacent to the minimal tree) are identified. These subtrees define a “cover” and establish the subsets S_(i1), . . . , S_(im). The cover encompasses all non-revoked receivers. Accordingly, at block 44 the session key K is encrypted using the subset keys defined by the cover.

[0050] To decrypt the message, each receiver invokes the logic of FIG. 6. Commencing at block 46, it is determined whether any ancestor node of the receiver is associated with a subset key of the cover by determining whether any ancestor node is among the set i₁, i₂, . . . , i_(m) in the message header. The receiver's private information I_(u), which in the complete subtree method consists of its position in the tree and subset keys associated with ancestor nodes, is used to determine this. If an ancestor is found in the message header (indicating that the receiver is a non-revoked receiver), the session key K is decrypted at block 48 using the subset key, and then the message is decrypted using the session key K at block 50.

[0051] In the complete subtree method, the header includes at most r*log(N/r) subset keys and encryptions. This is also the average number of keys and encryptions. Moreover, each receiver must store log N keys, and each receiver processes the message using at most log log N operations plus a single decryption operation.

[0052] Now referring to FIGS. 8-13, the subset difference method for revoking receivers can be seen. In the subset difference method, each receiver must store relatively more keys (0.5 log² N + 0.5 log N + 1 keys) than in the complete subtree method, but the message header includes only at most 2r−1 subset keys and encryptions (1.25r on average), and this is substantially shorter than in the complete subtree method. Also, in the subset difference method the message is processed using at most log N applications of a pseudorandom number generator plus a single decryption operation.

[0053] Referring to FIGS. 8 and 9, the subset difference method regards subsets as being the difference between a larger subset A and a smaller subset B that is entirely contained in A. Accordingly, as shown a larger subtree is rooted at node v_(i) and a smaller subtree is rooted at node v_(j) that descends from v_(i). The resulting subset S_(ij) consists of all the leaves labelled “yes” under v_(i) except for those leaves labelled “no” (and colored more darkly than the leaves labelled “yes”) under v_(j). FIG. 9 illustrates this, with the subset S_(ij) being represented by the area within the larger triangle and outside the smaller triangle.

[0054] When it is desired to send a message and revoke the ability of some receivers to decrypt the message in the subset difference method, the above-described structure is used as shown in FIG. 10. Commencing at block 52, a spanning tree is discovered that is defined by the leaves in R, the set of revoked receivers. The spanning tree is the minimal subtree of the full binary tree that connects the “revoked” leaves, and it can be a Steiner tree. Proceeding to block 54, a cover tree T is initialized as the spanning tree. An iterative loop then begins wherein nodes are removed from the cover tree and subtrees are added to the cover until the cover tree T has at most one node. The output defines the cover for the non-revoked receivers.

[0055] More specifically, moving from block 54 to block 56, leaves v_(i) and v_(j) are found in the cover tree T such that their least common ancestor v contains no other leaves of T. At decision diamond 57 it is determined whether only one leaf exists in the cover tree T. If more than a single leaf exists, the logic moves to block 58 to find nodes v_(l), v_(k) in v such that v_(i) descends from v_(l) and v_(j) descends from v_(k) and such that v_(l), v_(k) are children of v (i.e., are direct descendants of v without any intervening nodes between v and v_(l), v_(k)). In contrast, when only a single leaf exists in T, the logic moves from decision diamond 57 to block 60 to set v_(i)=v_(j)=sole remaining leaf, place v at the root of T, and set v_(l)=v_(k)=root.

[0056] From block 58 or 60 the logic moves to decision diamond 62. At decision diamond 62, it is determined whether v_(l) equals v_(i). It is likewise determined whether v_(k) equals v_(j). If v_(l) does not equal v_(i), the logic moves to block 64 to add the subset S_(l, i) to the cover, remove from T all descendants of v, and make v a leaf. Likewise, if v_(k) does not equal v_(j), the logic moves to block 64 to add the subset S_(k, j) to the cover, remove from T all descendants of v, and make v a leaf. From block 64, or from decision diamond 62 when no inequality is determined, the logic loops back to block 56.
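As an added illustration, not code from the patent, the following Python computes the cover for the same revoked set under both methods, so the header sizes of FIG. 5 and FIG. 10 can be compared directly. It follows the Steiner-tree construction of blocks 40/52 and the loop of blocks 56-64 above; the node v whose least common ancestor "contains no other leaves" is found as the lowest node whose cover-tree subtree holds exactly two leaves. The node numbering (root 1, children 2v and 2v+1, the N leaves numbered N to 2N−1, receiver u at leaf N+u) and the (1, None) marker used for an empty revoked set are this example's own assumptions.

```python
# Added example, not code from the patent: computing the cover for both
# methods on a full binary tree.  Node numbering is this example's own
# assumption: root = 1, children of v are 2v and 2v+1, the N = 2^d leaves
# are N .. 2N-1, and receiver u sits at leaf N + u.


def is_under(x, v):
    """True if node x is v itself or lies in the subtree rooted at v."""
    while x > v:
        x //= 2
    return x == v


def leaves_under(v, n_leaves):
    """All leaf numbers in the subtree rooted at v."""
    lo, hi = v, v
    while lo < n_leaves:          # descend one level until the range is in the leaf row
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo, hi + 1))


def steiner_tree(n_leaves, revoked):
    """Nodes of the minimal subtree connecting the revoked leaves to the root
    (FIG. 5 block 40 and FIG. 10 block 52)."""
    nodes = set()
    for u in revoked:
        v = n_leaves + u
        while v >= 1:
            nodes.add(v)
            v //= 2
    return nodes


def complete_subtree_cover(n_leaves, revoked):
    """Complete subtree method (FIG. 5 block 42): roots of the subtrees that hang
    directly off the Steiner tree.  With nothing revoked, the root alone covers everyone."""
    if not revoked:
        return [1]
    st = steiner_tree(n_leaves, revoked)
    cover = []
    for v in sorted(st):
        if v < n_leaves:                          # internal node of the Steiner tree
            cover.extend(c for c in (2 * v, 2 * v + 1) if c not in st)
    return cover


def subset_difference_cover(n_leaves, revoked):
    """Subset difference method (FIG. 10): cover as (i, j) pairs meaning "leaves
    under v_i except those under v_j".  (1, None) is this example's convention
    for "nobody revoked"."""
    if not revoked:
        return [(1, None)]
    t = steiner_tree(n_leaves, revoked)           # block 54: cover tree T starts as the Steiner tree
    cover = []
    while True:
        t_leaves = [v for v in t if 2 * v not in t and 2 * v + 1 not in t]
        if len(t_leaves) == 1:                    # diamond 57 / block 60: one leaf left, v is the root
            vi = t_leaves[0]
            if vi != 1:
                cover.append((1, vi))
            return cover
        # block 56: lowest node v whose T-subtree holds exactly two leaves of T
        # (heap numbers grow with depth, so scan in descending order)
        for v in sorted(t, reverse=True):
            below = [x for x in t_leaves if is_under(x, v)]
            if len(below) == 2:
                break
        vl, vk = 2 * v, 2 * v + 1                  # block 58: the two children of v
        vi = next(x for x in below if is_under(x, vl))
        vj = next(x for x in below if is_under(x, vk))
        if vl != vi:                               # diamond 62 / block 64
            cover.append((vl, vi))
        if vk != vj:
            cover.append((vk, vj))
        t = {x for x in t if x == v or not is_under(x, v)}   # drop v's descendants; v becomes a leaf


def covered_leaves(n_leaves, cs_cover=None, sd_cover=None):
    """Leaves reached by a cover of either kind; used to check that a cover is exactly N \\ R."""
    out = set()
    for v in cs_cover or []:
        out |= leaves_under(v, n_leaves)
    for i, j in sd_cover or []:
        out |= leaves_under(i, n_leaves) - (leaves_under(j, n_leaves) if j else set())
    return out


if __name__ == "__main__":
    N, R = 16, {0, 5, 6, 11}                       # constructed sample: 16 receivers, 4 revoked
    cs = complete_subtree_cover(N, R)
    sd = subset_difference_cover(N, R)
    print("complete subtree cover:", cs, "size", len(cs))
    print("subset difference cover:", sd, "size", len(sd))
```

For the constructed sample (N=16, r=4) the complete subtree cover has 7 subsets and the subset difference cover has 4, inside the bounds r·log(N/r)=8 and 2r−1=7 stated in paragraphs [0051] and [0052]; both covers reach exactly the twelve non-revoked leaves.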

[0057] With the above overall view of the subset difference key assignment method in mind, a particularly preferred implementation is now set forth. While the total number of subsets to which a receiver belongs is as large as N, these subsets can be grouped into log N clusters defined by the first subset i (from which another subset is subtracted). For each 1 ≤ i < N corresponding to an internal node in the full tree, an independent and random label LABEL_(i) is selected, which induces the labels for all legitimate subsets of the form S_(ij). From the labels, the subset keys are derived. FIG. 11 illustrates the preferred labelling method discussed below. The node labelled L_(i) is the root of the subtree T_(i), and its descendants are labelled according to present principles.

[0058] Let G be a cryptographic pseudorandom sequence generator that triples the input length; G_L(S) denotes the left third of the output of G on the seed S, G_R(S) denotes the right third, and G_M(S) denotes the middle third. Consider the subtree T_(i) rooted at the node v_(i) with label LABEL_(i). If a node is labelled S, its two children are labelled G_L(S) and G_R(S) respectively, and the labelling continues in the same way down the subtree. The subset key L_(i, j) assigned to the set S_(i, j) is G_M of the label LABEL_(i, j) of node v_(j) as derived in the subtree T_(i). Note that each label S induces three parts, namely, the labels for the left and right children, and the key of the node. Consequently, given the label of a node it is possible to compute the labels and keys of all its descendants. In one preferred embodiment, the function G is a cryptographic hash such as the Secure Hashing Algorithm-1, although other functions can be used.

[0059] FIG. 12 shows how receivers decrypt messages in the subset difference method. Commencing at block 66, the receiver finds the subset S_(i, j) to which it belongs, along with the associated label (which is part of the private information of the receiver that allows it to derive the LABEL_(i, j) and the subset key L_(i, j)). Using the label, the receiver computes the subset key L_(i, j) by evaluating the function G at most log N times at block 68. Then, the receiver uses the subset key to decrypt the session key K at block 70 for subsequent message decryption.

[0060] FIG. 13 shows how labels and, hence, subset keys, are assigned to receivers in the subset difference method. The labelling method disclosed herein is used to minimize the number of keys that each receiver must store.

[0061] Commencing at block 72, each receiver is provided with the labels of nodes that are not in the direct path between the receiver and the root but that “hang” off the direct path and that are induced by some node v_(i), an ancestor of u. These labels establish the private information I_(u) of the receiver at block 74, with subsequent message session keys being encrypted with subset keys derived from the labels at block 76.

[0062] Referring briefly to FIG. 14, the above principle is illustrated. For every ancestor v_(i), with label S, of a receiver u, the receiver u receives labels at all nodes 71 that are hanging off the direct path from the node v_(i) to the receiver u. As discussed further below, these labels are preferably all derived from S. In marked contrast to the complete subtree method, in the subset difference method illustrated in FIGS. 8-14 the receiver u does not receive labels from any node 73 that is in the direct path from the receiver u to the node v_(i). Using the labels, the receiver u can compute the subset keys of all sets (except the direct path set) that are rooted at the node v_(i) by evaluating the above-described function G, but can compute no other subset keys.
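The label derivation of paragraphs [0057]-[0062], as an added worked example that is not code from the patent: the center draws one LABEL_(i) per internal node, hands each receiver exactly the labels of the nodes hanging off its paths, and a receiver reconstructs L_(i, j) from the one hanging label that sits above v_(j). Assumptions of this example: the heap node numbering (root 1, children 2v and 2v+1, receiver u at leaf N+u), and a tripling generator G assembled from three SHA-256 calls with a domain-separation byte per third (the patent names SHA-1 as one option; any generator with three independent thirds serves). A receiver that is inside the excluded subtree v_(j) holds no usable label and the lookup returns None, which is the "null" outcome of block 28.

```python
# Added example, not code from the patent: label and subset-key derivation for
# the subset difference method, on both the center and the receiver side.
# Assumptions of this example: heap numbering (root = 1, children 2v and 2v+1,
# leaves N .. 2N-1, receiver u at leaf N + u) and a tripling generator G built
# from SHA-256 with a domain-separation byte per third.
import hashlib
import os


def G(seed):
    """Maps a 32-byte seed to 96 bytes: left third, middle third, right third."""
    return b"".join(hashlib.sha256(tag + seed).digest() for tag in (b"L", b"M", b"R"))


def G_L(s):
    return G(s)[:32]


def G_M(s):
    return G(s)[32:64]


def G_R(s):
    return G(s)[64:]


def is_under(x, v):
    """True if node x is v or lies in v's subtree."""
    while x > v:
        x //= 2
    return x == v


def derive_label(label_i, i, j):
    """LABEL_{i,j}: walk from v_i down to v_j, G_L for a left step, G_R for a right step."""
    steps = []
    while j > i:
        steps.append(j % 2)       # 0 = left child, 1 = right child
        j //= 2
    if j != i:
        raise ValueError("v_j is not in the subtree of v_i")
    s = label_i
    for step in reversed(steps):
        s = G_R(s) if step else G_L(s)
    return s


class Center:
    def __init__(self, n_leaves):
        self.n = n_leaves
        # one independent random LABEL_i per internal node (paragraph [0057])
        self.labels = {v: os.urandom(32) for v in range(1, n_leaves)}

    def subset_key(self, i, j):
        """L_{i,j} = G_M(LABEL_{i,j})."""
        return G_M(derive_label(self.labels[i], i, j))

    def private_info(self, u):
        """I_u (FIG. 13, block 72): for every ancestor v_i of leaf u, LABEL_{i,h} for each
        node h hanging off the path v_i -> u.  Path nodes themselves get no label."""
        leaf = self.n + u
        info = {}
        i = leaf // 2
        while i >= 1:                         # each ancestor v_i, parent first, root last
            x = leaf
            while x != i:
                h = x ^ 1                     # the sibling of path node x hangs off the path
                info[(i, h)] = derive_label(self.labels[i], i, h)
                x //= 2
            i //= 2
        return info


def receiver_subset_key(info, i, j):
    """FIG. 12, blocks 66-68: pick the hanging node h of cluster i with v_j under it,
    derive LABEL_{i,j} from LABEL_{i,h} and return G_M of it.  None means the receiver
    holds no label for S_{i,j}: it is under v_j (excluded) or not under v_i at all."""
    for (ii, h), label_h in info.items():
        if ii == i and is_under(j, h):
            return G_M(derive_label(label_h, h, j))
    return None


if __name__ == "__main__":
    center = Center(8)                        # constructed sample: 8 receivers
    info = center.private_info(3)             # receiver 3 sits at leaf 11
    print("labels held:", sorted(info))       # 6 = 0.5*log^2 N + 0.5*log N
    print("S_{1,8} key matches:", receiver_subset_key(info, 1, 8) == center.subset_key(1, 8))
```

Each G step in the receiver's derivation corresponds to one tree level, so at most log N evaluations are needed, matching paragraph [0052]; the six labels held by a receiver in an 8-leaf tree are the 0.5·log²N + 0.5·log N count of paragraph [0052] before the one extra key for the no-revocation case.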

[0063] Conventional multicast systems lack backward secrecy, i.e., a constantly listening receiver that has been revoked nonetheless can record all encrypted content, and then sometime in the future gain a valid new key (by, e.g., re-registering) which allows decryption of past content. The present invention can be used in such scenarios to cure the lack of backward secrecy by including, in the set of revoked receivers, all receiver identities that have not yet been assigned. This can be done if all receivers are assigned to leaves in consecutive order. In this case, revocation of all unassigned identities results in a moderate increase in message header size, but not proportionally to the number of such identities.

[0064] The present invention also recognizes that it is desirable to have concise encodings of the subsets i_(j) in the message header and to provide a quick way for a receiver to determine whether it belongs to a subset i_(j). Assume that a node is denoted by the path from the root to the node, with 0 indicating a left branch and 1 indicating a right branch. The end of the path is denoted by a 1 followed by zero or more 0 bits. Thus, the root is 1000 . . . 000b, the leftmost child of the root is 01000 . . . 000b, the rightmost child is 11000 . . . 000b, and a leaf is xxxx . . . xxxx1b.

[0065] As recognized herein, the path of a larger subtree's root is a prefix of the path of the root of any smaller subtree contained in it, so that the subset difference can be denoted by the root of the smaller subtree plus the length of the path to the larger subtree's root. With this in mind, a receiver can quickly determine if it is in a given subset by executing the following Intel Pentium® processor loop.

[0066] Outside the loop, the following registers are set up: ECX contains the receiver's leaf node, ESI points to the message buffer (the first byte is the length of the path to the larger subtree root and the next four bytes are the root of the smaller tree), and a static table outputs 32 bits when indexed by the length of the path, with the first length bits being 1 and the remaining bits being 0.

    loop:
        movzx ebx, byte [esi]        ; length of the path to the larger subtree root
        mov   eax, dword [esi+1]     ; root of the smaller (excluded) subtree
        add   esi, 5                 ; advance to the next header entry
        xor   eax, ecx               ; bits in which the leaf and the smaller root differ
        and   eax, [TABLE + ebx*4]   ; keep only the first "length" bits
        jnz   loop                   ; nonzero: leaf is outside the larger subtree

[0067] If a receiver falls out of the loop, it does not necessarily meanthat it belongs to the particular subset. It might be in the smallerexcluded subtree, and if so, it must return to the loop. However, sincein the vast majority of cases the receiver is not even in the largersubtree, almost no processing time is spent in the loop.
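The node encoding of paragraph [0064] and the membership test of paragraphs [0065]-[0067], as an added example in Python that is not code from the patent. The second prefix comparison is the "return to the loop" case of paragraph [0067]: a leaf that shares the larger subtree's prefix but also shares the full path of the smaller root lies in the excluded subtree. Assumptions of this example: nodes are written as path strings over {'0','1'} from the root (the empty string is the root, '0' its left child), codes are 32-bit words, and each header entry is one length byte followed by a big-endian 4-byte code; the patent fixes neither the byte order nor the width beyond "four bytes".

```python
# Added example, not code from the patent: the node encoding of paragraph [0064]
# and a Python rendering of the membership loop of paragraphs [0065]-[0067].
# Assumptions of this example: nodes are path strings over {'0','1'} from the
# root ('' is the root, '0' its left child), codes are 32-bit words, and a
# header entry is one length byte followed by a big-endian 4-byte code.

WORD = 32


def encode(path):
    """Path bits, a terminating 1, then 0 padding, as a 32-bit word."""
    if len(path) >= WORD:
        raise ValueError("path too long for a 32-bit code")
    return int((path + "1").ljust(WORD, "0"), 2)


def path_length(code):
    """Number of path bits, recovered from the position of the lowest set bit (the terminator)."""
    if code == 0:
        raise ValueError("0 is not a valid node code")
    trailing_zeros = (code & -code).bit_length() - 1
    return WORD - 1 - trailing_zeros


# TABLE[k]: the first k bits set, the rest clear (the patent's static table)
TABLE = [((1 << k) - 1) << (WORD - k) for k in range(WORD + 1)]


def same_prefix(a, b, k):
    """True if codes a and b agree on the first k path bits (the XOR/AND of the loop)."""
    return ((a ^ b) & TABLE[k]) == 0


def pack_header(subsets):
    """Header for subsets S_{i,j}: each entry is len(path_i) then encode(path_j)."""
    out = bytearray()
    for path_i, path_j in subsets:
        if path_j[:len(path_i)] != path_i:
            raise ValueError("the larger subtree's path must be a prefix of the smaller's")
        out.append(len(path_i))
        out += encode(path_j).to_bytes(4, "big")
    return bytes(out)


def find_subset(leaf_code, header):
    """Index of the header entry whose S_{i,j} contains the leaf, or None when the
    receiver is revoked (it falls inside the excluded subtree of every candidate)."""
    for idx in range(len(header) // 5):
        len_i = header[5 * idx]
        code_j = int.from_bytes(header[5 * idx + 1:5 * idx + 5], "big")
        if not same_prefix(leaf_code, code_j, len_i):
            continue                       # JNZ loop: not even in the larger subtree
        if same_prefix(leaf_code, code_j, path_length(code_j)):
            continue                       # paragraph [0067]: inside the excluded smaller subtree
        return idx
    return None


if __name__ == "__main__":
    hdr = pack_header([("0", "010"), ("1", "10")])   # constructed sample cover of two subsets
    for leaf in ("011", "010", "1101", "100"):
        print(leaf, "->", find_subset(encode(leaf), hdr))
```

In the constructed header, leaf 011 is in the first subset, leaf 1101 in the second, and leaves 010 and 100 are revoked (each lies in an excluded subtree), so the lookup returns None for them.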

[0068] In a further optimization of the subset difference method, thesystem server does not have to remember each and every label, whichcould run into the millions. Instead, the label of the i^(th) node canbe a secret function of the node. The secret function could be a tripleDES encryption that uses a secret key to render the label of the i^(th)node when applied to the number i.

[0069] Having set forth the details of the Subset-Cover system withwhich the present invention can be used, attention is now directed toFIGS. 15 and 16. Commencing at block 100, a partition S of subsetsS_(i1), . . . , S_(im) is input to a suspected pirate clone device thathas been obtained by an authorized tracing agency. The initial partitionis induced by the current set of revoked devices, or, if no devices havebeen revoked, the initial partition S is the set of all users. Moving todecision diamond 102, it is determined whether the clone has decryptedthe content using the partition S in accordance with the above-disclosedprinciples of the Subset-Cover system, preferably in accordance withprinciples of the Subset Difference embodiment. A clone is considered tohave decrypted content if it is able to decrypt messages with somepredetermined probability, e.g., with p>0.5. In most practical clones,p=1. If the clone cannot decrypt, an encryption that defeats the clonehas been found, and the process accordingly ends at state 104.

[0070] If, however, the clone has successfully decrypted the content, the process moves to block 124. At block 124, the Subset Tracing logic of FIG. 16, described further below, is executed on the partition S to produce a subset S_(ij), and the logic proceeds to block 106 to receive the subset S_(ij). Proceeding to decision diamond 108, it is determined whether the subset S_(ij) has only a single traitor candidate, i.e., whether the subset S_(ij) has only a single leaf. If so, the traitor has been found, and the process indicates the device represented by that leaf as “traitor” and revokes it by removing it from the set of non-revoked receivers and placing it in the set R of revoked receivers at block 110. A new cover set S is thereby defined at block 111, and the process moves to block 124, described more fully below.

[0071] When the subset S_(ij) has more than a single traitor candidate, the logic flows from decision diamond 108 to block 112, wherein the set S_(ij) is split into two child sets S¹_(ij) and S²_(ij). This is possible owing to the bifurcation property of the Subset-Cover systems, wherein subtrees can be split roughly (but not necessarily precisely) in two.

[0072] To realize an efficiency by reducing the length of the message required to trace t traitors, one preferred implementation can move from block 112 to the subroutine shown in blocks 114-122. This subroutine functions to merge subsets that have not yet been found to contain traitors into a single, efficiently processed group. If such reduction is not desired, S¹_(ij) and S²_(ij) are simply added to the cover and blocks 114-122 are omitted.

[0073] At block 114, the child sets S¹_(ij) and S²_(ij) are added to a frontier set F and are associated with each other as “buddy sets”. Next, at decision diamond 116 it is determined whether the set S_(ij) was in the previous frontier set F (i.e., the set F as it existed before the child sets S¹_(ij) and S²_(ij) were added to it). If it was, this means that the set S_(ij) had a complementary, so-called “buddy” set that was also in the frontier set F, and the “buddy” set (representing one or more receivers) is removed from the frontier set F at block 118. In this way, sets that have not yet been found to contain traitor candidates are grouped together apart from the frontier set F.

[0074] From block 118, or from decision diamond 116 if the test result there was negative, the logic flows to block 120, wherein a cover C is computed for all the receivers u that are not represented in sets in the frontier set F, in accordance with Subset-Cover principles set forth above. Specifically, the receivers represented by sets in the frontier set F are temporarily classified in the revoked set R, and then a cover is determined in accordance with the above principles. At block 122, a new partition S is defined to be the union of the cover C with the subsets in the frontier set F. Then, the Subset Tracing logic of FIG. 16 is executed on the new S at block 124 to produce another S_(ij), and the logic loops back to block 106.

[0075] Accordingly, now considering the Subset Tracing logic of FIG. 16, commencing at block 126 the partition S is received. The logic governs a sequence of steps; a typical step performs an encryption in which the first j subsets are encoded with a false key R_(K) having the same length as the session key K. That is, when p is the probability that the clone decrypts correctly with the partition S, a message is produced of the form

<E_(Li1)(R_(K)), E_(Li2)(R_(K)), . . . , E_(Lij)(R_(K)), E_(Li(j+1))(K), . . . , E_(Lim)(K), F_(K)(M)>

[0076] and p_(j) is the probability of decrypting when the first j subsets contain the false key. If |p_(j−1)−p_(j)|>p/m then, according to the present invention, S_(ij) contains a leaf representing a traitor. To find a probability p_(j), m² log(1/ε) experiments are undertaken to determine how many times, out of the entire sequence of experiments, the clone outputs the real message M. In particular, if the clone does not have any keys from the last m−j subsets (those that encrypt the actual session key K), it will never be able to determine M (other than by mere chance).

[0077] Accordingly, a binary search is executed to efficiently find an S_(ij) containing a traitor, starting with the entire interval [0, m] and successively halving the interval using lower and higher bounds [a, b] (initialized at block 130 to [0, m]). Note that p₀=p and p_(m)=0. Further, in most practical cases p=1, i.e., the clone always decrypts during normal operation.

[0078] The binary search starts at decision diamond 132, wherein it is determined whether the lower and higher bounds are one apart (indicating the end of the search). If so, the logic returns the index j of the traitor subset S_(ij) as being the higher bound b at block 134. Otherwise, the logic flows to block 136 to find the probability of the midpoint c of the interval [a, b], i.e., the probability of decrypting when the first c subsets contain the false key and the others contain the true key.

[0079] In accordance with the present invention, the probability p_(j) that a message is successfully decrypted when the first j subsets contain a false key is computed by repeatedly selecting a message M along with a key K, encrypting M as F_(K)(M), encoding the first j subsets with the false key and the last m−j subsets with the true key K, and observing whether the clone decrypts M successfully.

[0080] Then, at decision diamond 138 it is determined whether the midpoint probability is farther from the lower-bound probability than from the higher-bound probability (equivalently, whether at least half of the drop between the two bound probabilities has already occurred by the midpoint), i.e., whether |p_(c)−p_(a)|>|p_(c)−p_(b)|. If it is, the interval is halved down at block 140 to [a, c] by making the higher bound b equal to the current midpoint c and by making the higher bound probability p_(b) equal to the midpoint probability p_(c). On the other hand, in the event of a negative test at decision diamond 138, the logic flows to block 142. At block 142, the interval is halved up to [c, b] by making the lower bound a equal to the current midpoint c and by making the lower bound probability p_(a) equal to the midpoint probability p_(c). The logic then loops back to decision diamond 132.

[0081] At block 136, the probability p_(c) of the midpoint is preferably computed to an accuracy of 1/m. To guarantee that p_(c) is estimated accurately with a probability of 1−ε, it is required to observe m² log(1/ε) queries to the clone.

[0082] Accordingly, the logic of FIG. 16 preferably uses m² log(m) log(1/ε) queries to the clone. If desired, a noisy binary search can be undertaken that assumes, at each step, that the correct decision is obtained with a probability of 1−Q, wherein Q is a value close to ½, e.g., Q=⅓. In a model where each answer is correct with some fixed probability (e.g., greater than ⅔) that is independent of history, it is possible to perform a binary search over m sets in log m + log 1/Q queries. In the embodiment disclosed above, it can be assumed that the midpoint probability may yield a faulty value with probability Q. This implies that the number of queries over the entire procedure can be reduced to m²(log m + log 1/Q), since m² queries are required at each step to accurately compute p_(c) with probability 1−Q.
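The two procedures above, as one added worked example in Python (this is not code from the patent): trace() is the loop of FIG. 15 described in [0069]-[0074], and subset_tracing() is the binary search of FIG. 16 described in [0075]-[0082]. To keep it short it instantiates the Subset-Cover framework with the Complete Subtree method rather than Subset Difference, so a subset is the set of leaves below one node (written as its root-to-node path) and splitting it means taking the node's two children. The clone model (a clone decrypts whenever some traitor leaf lies in a subset carrying the real session key), the 0.5 threshold of decision diamond 102, eps=0.01 and the Clone.reliability parameter are assumptions, and the eight-leaf tree with traitors at leaves 010 and 110 is constructed input. The test of diamond 102 is repeated each time the partition changes, so the loop ends with a partition the clone can no longer decrypt.

```python
# Added example, not the patent's own code: the tracing loop of FIG. 15 ([0069]-[0074])
# driving the Subset Tracing binary search of FIG. 16 ([0075]-[0082]).  Uses the Complete
# Subtree instance of the Subset-Cover framework: a subset is the set of leaves below one
# node, named by its root-to-node path, so splitting a subset means taking its two children.
# The clone model, the 0.5 threshold and eps are assumptions made for this example.
import math
import random
from itertools import product


class Clone:
    """Simulated pirate clone holding the leaf keys of the given traitors (constructed input).
    Under Complete Subtree a receiver holds the key of every node on its root path, so the
    clone opens the ciphertext for subset v iff some traitor leaf lies below v.  A
    reliability below 1.0 models a clone that sometimes refuses to decrypt (p < 1)."""

    def __init__(self, traitor_leaves, reliability=1.0, seed=0):
        self.traitors = set(traitor_leaves)
        self.reliability = reliability
        self.rng = random.Random(seed)

    def decrypts(self, partition, false_count):
        # the first false_count subsets carry R_K, the remaining ones carry the session key K
        real = partition[false_count:]
        usable = any(t.startswith(v) for v in real for t in self.traitors)
        return usable and self.rng.random() < self.reliability


def leaves_under(node, depth):
    return {node + ''.join(b) for b in product('01', repeat=depth - len(node))}


def cover(node, wanted, depth):
    """Minimal set of subtrees below `node` whose leaves are exactly the wanted ones."""
    leaves = leaves_under(node, depth)
    hit = leaves & wanted
    if not hit:
        return []
    if hit == leaves:
        return [node]
    return cover(node + '0', wanted, depth) + cover(node + '1', wanted, depth)


def estimate_p(clone, partition, j, trials):
    """p_j of [0076]/[0079]: fraction of trial messages decrypted when the first j subsets hold R_K."""
    return sum(clone.decrypts(partition, j) for _ in range(trials)) / trials


def subset_tracing(clone, partition, eps=0.01):
    """FIG. 16: return the 1-based index b of a subset with |p_(b-1) - p_b| >= p/m."""
    m = len(partition)
    trials = math.ceil(m * m * math.log(1 / eps))           # accuracy 1/m with probability 1 - eps
    a, b = 0, m
    p_a, p_b = estimate_p(clone, partition, 0, trials), 0.0  # p_0 = p and p_m = 0 ([0077])
    while b - a > 1:                                         # decision diamond 132
        c = (a + b) // 2
        p_c = estimate_p(clone, partition, c, trials)        # block 136
        if abs(p_c - p_a) > abs(p_c - p_b):                  # decision diamond 138
            b, p_b = c, p_c                                  # block 140: halve down to [a, c]
        else:
            a, p_a = c, p_c                                  # block 142: halve up to [c, b]
    return b


def trace(clone, depth, eps=0.01, threshold=0.5):
    """FIG. 15: return (traitor leaves found, partition that the clone can no longer decrypt)."""
    all_leaves = leaves_under('', depth)
    revoked, frontier, traitors = set(), {}, []              # frontier maps each set to its buddy
    partition = cover('', all_leaves, depth)
    while True:
        m = max(len(partition), 1)
        if estimate_p(clone, partition, 0, math.ceil(m * m * math.log(1 / eps))) <= threshold:
            return traitors, partition                       # state 104: the clone is defeated
        s = partition[subset_tracing(clone, partition, eps) - 1]
        if len(s) == depth:                                  # single leaf: a traitor (block 110)
            traitors.append(s)
            revoked.add(s)
            frontier.pop(s, None)
        else:                                                # split into buddies (blocks 112-118)
            buddy = frontier.pop(s, None)
            if buddy is not None:
                frontier.pop(buddy, None)                    # buddy not yet shown to hold a traitor
            frontier[s + '0'], frontier[s + '1'] = s + '1', s + '0'
        covered = set().union(*(leaves_under(v, depth) for v in frontier)) if frontier else set()
        partition = cover('', all_leaves - revoked - covered, depth) + sorted(frontier)  # 120-122


if __name__ == '__main__':
    found, final = trace(Clone({'010', '110'}), depth=3)
    print('traitors:', sorted(found), 'disabling partition:', final)
```

With two traitors the search in subset_tracing() lands on the highest-indexed subset that still holds a traitor key, because p_j only drops to zero once every traitor subset lies in the false-key prefix; each pass of trace() either revokes a leaf or halves a subset, so it terminates, and the partition it returns is one that neither the clone nor the revoked receivers can decrypt.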

[0083] Traitors can be traced from more than one clone by running the tracing algorithm in parallel on the clones with the same input. The initial input is a partition S₀ that results from the set of all users, with none having been placed in the revoked set R. As the process moves forward, when the first clone “detects” a traitor in one of its sets it re-partitions accordingly (by moving the traitor to the revoked set R). The new partition is then input to all clones simultaneously. The output of the simultaneous method is a partition (or “revocation strategy”) that renders all revoked receivers and clones invalid.

[0084] The present invention affords the ability to trace a comparatively large number of traitors using a relatively small message. It can be integrated seamlessly with the above-referenced Subset-Cover system. Also, no a priori bound on the number of traitors that can be traced is required. Still further, the present invention functions by either tracing the traitors or rendering the pirate clones useless, regardless of what the clone does to counter the tracing.

[0085] While the particular METHOD FOR TRACING TRAITOR RECEIVERS IN A BROADCAST ENCRYPTION SYSTEM as herein shown and described in detail is fully capable of attaining the above-described objects of the invention, it is to be understood that it is the presently preferred embodiment of the present invention and is thus representative of the subject matter which is broadly contemplated by the present invention, that the scope of the present invention fully encompasses other embodiments which may become obvious to those skilled in the art, and that the scope of the present invention is accordingly to be limited by nothing other than the appended claims, in which reference to an element in the singular means “at least one”, not “only one”, unless otherwise stated in the claim. All structural and functional equivalents to the elements of the above-described preferred embodiment that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the present claims. Moreover, it is not necessary for a device or method to address each and every problem sought to be solved by the present invention, for it to be encompassed by the present claims. Furthermore, no element, component, or method step in the present disclosure is intended to be dedicated to the public regardless of whether the element, component, or method step is explicitly recited in the claims. No claim element herein is to be construed under the provisions of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited as a “step” instead of an “act”.

We claim:
1. A method for identifying or disabling at least one traitor receiver with at least one associated unique, compromised decryption key in a broadcast encryption system, comprising: receiving a set of subsets derived from a tree defining leaves, each leaf representing a respective receiver; identifying at least one traitor subset from the set of subsets as containing at least one leaf representing a traitor receiver; and using the traitor subset, identifying or disabling the traitor receiver.
2. The method of claim 1, further comprising: determining whether the traitor subset represents at least one traitor receiver, and if so, dividing the traitor subset into two child sets.
3. The method of claim 2, further comprising determining whether the traitor subset is a member of a frontier set, and if so, removing a complementary subset from the frontier set.
4. The method of claim 1, wherein the act of identifying or disabling includes encoding plural subsets of the set of subsets with a false key.
5. The method of claim 4, further comprising executing a binary search on the set of subsets using probabilities.
6. The method of claim 5, wherein the binary search ends by determining that the difference between a probability p_(j) of decrypting a message when the first j subsets contain the false key and a probability p_(j−1) of decrypting a message when the first j−1 subsets contain the false key is at least equal to a predetermined probability.
7. The method of claim 6, wherein the traitor subset is identified when |p_(j−1)−p_(j)|>p/m, wherein m is the number of subsets in the set of subsets.
8. The method of claim 1, wherein the set of subsets is generated by: assigning each receiver in a group of receivers respective private information I_(u); selecting at least one session encryption key K; partitioning receivers not in a revoked set R into a set of disjoint subsets S_(i1), . . . , S_(im) having associated subset keys L_(i1), . . . , L_(im); and encrypting the session key K and the false key with the subset keys L_(i1), . . . , L_(im).
9. The method of claim 8, wherein the tree includes a root and plural nodes, each node having an associated key, and wherein each receiver is assigned keys from all nodes in a direct path between a leaf representing the receiver and the root.
10. The method of claim 8, wherein the tree includes a root and plural nodes, each node associated with a set of labels, and wherein each receiver is assigned labels from all nodes hanging from a direct path between the receiver and the root but not from nodes in the direct path.
11. The method of claim 10, wherein the revoked set R defines a spanning tree, and wherein the method includes: initializing a cover tree T as the spanning tree; iteratively removing nodes from the cover tree T and adding nodes to the cover tree T until the cover tree T has at most one node.
12. A computer program device, comprising: a computer program storage device including a program of instructions usable by a computer, comprising: logic means for accessing a tree to generate a set of subsets of the tree, the tree including leaves representing at least one traitor device characterized by a compromised key; logic means for encrypting a false key j times and for encrypting a session key m−j times, wherein m is a number of subsets in the set of subsets; logic means responsive to the means for encrypting for identifying a traitor subset; and logic means for using the traitor subset to identify or disable the traitor device.
13. The computer program device of claim 12, further comprising: logic means for determining whether the traitor subset represents at least one traitor device, and if so, dividing the traitor subset into two child sets.
14. The computer program device of claim 13, further comprising logic means for determining whether the traitor subset is a member of a frontier set, and if so, removing a complementary subset from the frontier set.
15. The computer program device of claim 12, further comprising logic means for executing a binary search on the set of subsets using probabilities.
16. The computer program device of claim 15, wherein the binary search ends by determining that the difference between a probability p_(j) of decrypting a message when the first j subsets contain the false key and a probability p_(j−1) of decrypting a message when the first j−1 subsets contain the false key is at least equal to a predetermined probability.
17. The computer program device of claim 16, wherein the traitor subset is identified when |p_(j−1)−p_(j)|>p/m, wherein m is the number of subsets in the set of subsets.
18. The computer program device of claim 12, wherein the set of subsets is generated by logic means including: logic means for assigning each receiver in a group of receivers respective private information I_(u); logic means for selecting at least one session encryption key K; logic means for partitioning receivers not in a revoked set R into a set of disjoint subsets S_(i1), . . . , S_(im) having associated subset keys L_(i1), . . . , L_(im); and logic means for encrypting the session key K and the false key with the subset keys L_(i1), . . . , L_(im).
19. The computer program device of claim 18, wherein the tree includes a root and plural nodes, each node having an associated key, and wherein each receiver is assigned keys from all nodes hanging from a direct path between the receiver and the root but not from nodes in the direct path.
20. A computer programmed with instructions to cause the computer to execute method acts including: using a false key to encode plural subsets representing stateless receivers, at least one traitor receiver of which is associated with at least one compromised key that has been obtained by at least one pirate receiver; and using the pirate receiver or a clone thereof, determining the identity of the traitor receiver, or rendering the pirate receiver or clone thereof useless for decrypting data using the compromised key.
21. The computer of claim 20, wherein the subsets define a set of subsets, and the method acts undertaken by the computer further include: receiving the set of subsets derived from a tree defining leaves, each leaf representing a respective receiver; identifying at least one traitor subset from the set of subsets as containing at least one leaf representing the traitor receiver; and using the traitor subset, identifying the traitor receiver.
22. The computer of claim 21, wherein the method acts undertaken by the computer further comprise: determining whether the traitor subset represents at least one traitor receiver, and if so, dividing the traitor subset into two child sets.
23. The computer of claim 22, wherein the method acts undertaken by the computer further comprise determining whether the traitor subset is a member of a frontier set, and if so, removing a complementary subset from the frontier set.
24. The computer of claim 21, wherein the act of identifying includes: encoding plural subsets of the set of subsets with the false key.
25. The computer of claim 24, wherein the method acts undertaken by the computer further comprise executing a binary search on the set of subsets using probabilities.
26. The computer of claim 25, wherein the binary search ends by determining that a probability p_(j) of decrypting a message when the first j subsets contain the false key is at least equal to a predetermined probability.
27. The computer of claim 26, wherein the traitor subset is identified when |p_(j−1)−p_(j)|>p/m, wherein m is the number of subsets in the set of subsets.
28. The computer of claim 21, wherein the set of subsets is generated by: assigning each receiver in a group of receivers respective private information I_(u); selecting at least one session encryption key K; partitioning receivers not in a revoked set R into a set of disjoint subsets S_(i1), . . . , S_(im) having associated subset keys L_(i1), . . . , L_(im); and encrypting the session key K and the false key with the subset keys L_(i1), . . . , L_(im), wherein the tree includes a root and plural nodes, each node being associated with a set of labels, and wherein each receiver is assigned labels from all nodes hanging from a direct path between the receiver and the root but not from nodes in the direct path.
29. The method of claim 1, further comprising identifying or disabling plural traitor receivers embodied in a clone.
30. The method of claim 1, wherein the act of identifying or disabling includes encoding the first j subsets of the set of subsets with a false key.